Schneier On Full Disclosure
Bruce let me know that he's written a piece on ZDNet (the original home of the Window of Exposure idea is on Counterpane?) about the problems of not following full disclosure. Very well written and does a great job of summarizing why full disclosure works. The original piece from Culp @ Microsoft is also available, along with the PowerPoint that they did.
Full disclosure may be good, but full exposure will get you thrown in jail!
"People that quote themselves in their signatures bother me" - athakur999
Everybody seems to like "Full Disclosure," so here at Microsoft, we've decided to begin releasing all security vulnerabilities under a "Shared Disclosure" policy. Once the various NDAs are signed, you too can view and work with any security vulnerabilities that we know about.
Just another example of how Microsoft listens to and responds to customer requests. Have a nice day!
If a tree fell on a florist, and nobody was around to hear it, would he make a noise?
From the powerpoint slide:
Grace Period
Purpose: Give users a reasonable interval during which to protect their systems against newly reported vulnerabilities
- Begins with public notice of vulnerability, and lasts for 30 days
- Is immediately curtailed if vulnerability becomes actively exploited
Do I read this correctly? Does this mean that when an exploit is shown to exist in the wild, then they immediately switch to "full disclosure" mode? This means that there is now an incentive to put an exploit in the wild: it means you can publish your work. Even if you leak the exploit surreptitiously.
I know I must be preaching to the choir here, but, this seems exceedingly stupid. Am I missing something?
If guns kill people, then CmdrTaco's keyboard misspells words.
So just hiding information doesn't necessarily make you more secure.
sPh
[1] OK, the Soviet Union had spies inside the project before it started, but that doesn't count!
When you see a fire in a crowded theatre, you:
(A) Shout "FIRE!" and get crushed in the panic.
(B) Walk out quietly...who cares about anyone else?
(C) Tell your closest neighbor and hope that they're a fireman.
(D) Pour on gasoline so everyone will get out faster.
This is the vulnerability of our Nuclear Piles
This is where you can cross the border undetected
This is how to make a Fake ID?
Well maybe I didn't say every single tiny little syllable but basically I said 'em, basically.
Culp makes a lot more sense than he's given credit for, and a lot of his points have been taken out of context. The procedure he outlines seems very reasonable to me:
"Most of the security community already follows common-sense rules that ensure that security vulnerabilities are handled appropriately. When they find a security vulnerability, they inform the vendor and work with it while the patch is being developed. When the patch is complete, they publish information discussing what products are affected by the vulnerability, what the effect of the vulnerability is... and what users can do to protect their systems....
"Some security professionals go the extra mile and develop tools that assist users in diagnosing their systems and determining whether they are affected by a particular vulnerability. This too can be done responsibly...
Let's not stir that bag of worms...
The CIA and such are, in this case, in the position of the vendors: it is their responsibility to fix the vulnerabilities.
The disclosure should be done by people who identify the vulnerabilities. If you know where you can cross a border undetected, you ought to let someone know. Particularly in that case, the hole would probably get closed pretty quickly. And if some random person notices a hole, it would be pretty easy for someone actually looking for a vulnerability to find it.
For example, if in August (or before) someone had said to the general public something like, "You can probably hijack an airplane with legal objects and then destroy a building with it", the passengers wouldn't have let the hijacking get anywhere, and the hijackers probably wouldn't have tried. There's obviously the risk that some groups that wouldn't have thought of it would get the idea, but it would have gotten fixed in policy before anyone could do anything to exploit it.
Full disclosure is meant to help increase security in dynamically changing and (supposedly) supported software.
You will note, if you read the article, that this is probably the only time where "bug secrecy" is necessary: that it is extremely bad to publish a bug for non-fixable systems (like air traffic control computers). It is good in one sense that the exploit is known (so that they avoid it the next time), but it is bad to let it loose if the system is still deployed, cannot be changed, and isn't going away soon.
So to continue the analogy, it isn't good to disclose vulnerabilities of nuclear stockpiles because you can't fix them.
Wow, what a troll. The CIA being an "international organization" is a dead giveaway. The other is the fantastic false analogy between buggy PC software and nuclear bombs. No organization currently mass produces nuclear weapons for daily use on every desktop. No one here would recommend such things.
At the same time, some countries like the USA recognize that free thought is needed for scientific development and that full disclosure and broad education are in the public interest. While the particular technical details of how to build bombs are kept secret, the physical principles are trumpeted and encouraged. Indeed, public debate on principles is encouraged, as free discourse leads to knowledge. "Freedom is the ability to say two plus two is four, all else follows", said George Orwell's sad character in 1984. While the Department of Energy and their employees might not tell us details, they will not keep you or me from talking about it. With sufficient study at any good US university, a person can learn all they need to know about bomb design. Knowledge is not yet viewed as evil. The truth will set you free and only the free can be sure they know the truth.
M$, Adobe, RIAA, MPAA and other private interests are going a step further than cold warriors with their "information anarchy" campaign. Such blatant censorship is un-American and against the public interest. They will be defeated in the long run, as will trolls like you.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
- Code Red: Microsoft worm.
- Lion: Linux worm
- Sadmind: Solaris worm that affected Microsoft OS's (*ack* if you can call them OS's!)
- Ramen: Linux worm
- Nimda: Microsoft worm
Now that means that a "representative" list of worms would contain 50% Microsoft worms, 40% Linux worms, and 10% Solaris worms. It's good to see Microsoft presenting a legitimate picture of what's going on. C'mon!! Windows practically breeds worms! Linux has had how many? 4, 5? Morris, Ramen, Lion, Adore. That's all I can come up with. Now, do I start listing the Microsoft worms (not to mention virii)?...
-------------
All your sig are belong to us.
IWARS.
People, in general, disappoint me. Politicians even more so.
The argument that you can't just shout "fire" in a crowded theater entered the law in Schenck v. United States, 249 U.S. 47, 52 (1919). This was a Supreme Court case concerning whether the government may suppress pamphlets encouraging people to resist the draft. Although I think that case may have been correctly decided (with the distinction being expressing opposition to the draft versus encouraging people to violate the draft law), I wonder if the Court realized they were treading on, or near, thin ice when they used the "Fire" analogy.
So it is with people who use the analogy today. Whenever someone starts comparing some kind of speech to shouting "Fire" in a crowded theater, don't get carried away by the emotional appeal but keep an eye on your rights, lest someone try to make off with them.
Copper was being used elsewhere in the war effort, so:
and Swiped from http://members.aol.com/fmcguff/dwmodel/intro.htm
fencepost
just a little off
Almost every piece of commercial software you install these days has something in the license like (taken from the Red Hat legalese):
"There is no warranty for the program, to the extent permitted by applicable law. Except when otherwise stated in writing, the copyright holders and/or other parties provide the program "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the program is with you. Should the program prove defective, you assume the cost of all necessary servicing, repair, or correction."
Now someone explain to me why, when software vendors disavow all responsibility for their products, they should be granted some special status with regards to information about those products' misbehavior.
You sound suspiciously like someone who doesn't have sufficient experience in the NT world.
Windows patches and hotfixes are a whole world of pain. SP2 for NT4 erased filesystems. SP6 crippled people running Notes. Hotfixes regularly blow each other away. They're a *mess*, and a good Windows admin will be *very* cautious about applying either hotfixes or service packs for NT/W2K/XP because the QA on them seems to be so low, so often.
Someone suggested that the Manhattan Project go to the United States Treasury and ask for silver.
Of course, this was before somebody suggested using Uranium and Plutonium. They gave the silver back because it wouldn't blow up. Uranium makes really lousy money, on the other hand. It has a good weight, and it's a bit warm to the touch, giving it a nice feel in your hands. But it tended to cause tumors on the upper thigh, right where trousers' pockets are. So for the Treasury and the War Department, it was what you'd call a "win-win situation".
If tits were wings it'd be flying around.
-- ;-)
Kuro5hin.org: where the good times never end.